Merge pull request #3231 from DMPRoadmap/add_symbol_to_safe_yaml_list

pengyin-shan · web-flow · commit a814d68b187a · 2022-11-29T18:00:09.000-05:00
fix YAML safe load capatibility potential error
diff --git a/config/application.rb b/config/application.rb
@@ -26,6 +26,11 @@ class Application < Rails::Application
     # --------------------------------- #
     # Ensure that Zeitwerk knows to load our classes in the lib directory
     config.eager_load_paths << config.root.join('lib')
+
+    # CVE-2022-32224: add some compatibility with YAML.safe_load
+    # Rails 5,6,7 are using YAML.safe_load as the default YAML deserializer
+    config.active_record.yaml_column_permitted_classes = [ActiveSupport::HashWithIndifferentAccess, Symbol, Date, Time]
+
     # Have Zeitwerk skip generators because the generator templates are
     # incompatible with the Rails module/class naming conventions
     Rails.autoloaders.main.ignore(config.root.join('lib/generators'))
diff --git a/db/schema.rb b/db/schema.rb
@@ -666,4 +666,4 @@
   add_foreign_key "users", "departments"
   add_foreign_key "users", "languages"
   add_foreign_key "users", "orgs"
-end
+end
